How can Blockchain, the digital distributed ledger technology so closely associated with “Bitcoin”—the cryptocurrency of choice for hackers—be used to mitigate the inherent risks of electronic health records? Can a hacker-born technology be used to secure our most sensitive personal health information? Simply, yes.

EHR: Fraught with Security Risk

From the moment it was required under the HITECH Act, the rollout of electronic health records (EHR) has faced challenges.[1] Although the goal of the Act was to improve the delivery of healthcare by incentivizing the implementation and meaningful use of EHR, it, without question, added a layer of complexity and risk in terms of data security.

Last year alone, there were 377 recorded security breaches in the health care sector.[2] These breaches affected nearly 27 million patient records, often triggering mandatory breach notification requirements. Notably, these healthcare industry breaches expose more social security numbers than breaches in other sectors, including business, education, financial, and government. This year, the number of compromised records is on pace to meet or exceed 2016, with major incidents including system hacking through open portals, phishing scams, user errors, and lost devices. The escalation of these attacks has caught the attention of emerging technology providers as well as governmental entities and has given rise to concerted efforts to find a more secure method to protect EHR.

Agencies Hunt for Emerging Technology Solutions

Government agencies, acknowledging the weakness of existing EHR systems, have called for a technology-based solution to the data security problem. Among the options considered by agencies, including the U.S. Department of Health and Human Services (HHS), is blockchain.

What is Blockchain?

Most people identify blockchain with Bitcoin and other cryptocurrencies, believing that it’s aligned with criminal transactions on the dark web. Yet blockchain is simply a digital ledger system incorporating protocols that validate transactions across a network of computers without a central repository. In a nutshell, a blockchain is a potentially unending way to store data on one chain, held on multiple systems, with heightened security and privacy protection.

The Blockchain Challenge and Governmental Acceptance

Blockchain has the potential to offer a secure solution to many governmental big data and privacy problems. Acknowledging this potential, in 2016, HHS launched the “Blockchain Challenge,” a contest seeking white papers on “Blockchain and Its Emerging Role in Healthcare and Health-related Research.”[3] The Office of the National Coordinator for Health Information Technology (ONC) received over seventy submissions that addressed how blockchain could be used to protect, manage, and exchange health data. The fifteen winning papers addressed unique applications that would innovate payment systems and redesign the transfer of EHR.

Not to be left behind, Congress is also exploring blockchain implementation and in early 2017 established the Congressional Blockchain Caucus.[4] Just this month, the Digital Chamber of Commerce held a Congressional Blockchain Education Day in Washington, DC to educate Congress on blockchain technology and its application.[5] With continuing government interest and investment, the likelihood that blockchain technology may end up as the backbone for healthcare transactions and data exchanges in the future is real. So, the question is, how will blockchain work as a solution to the EHR data security problem?

Solving the EHR Data Security Problem

The goal of EHR is to provide secure, accurate, and portable patient health data available across the healthcare system. Blockchain mitigates system risks by offering multiple data safeguards:

Enhanced Security. Data on the chain can be encrypted with both public and private encryption keys.

Controlled Access. Users with a certain decryption key can only view records that are unlocked with their key, making collateral and incidental disclosures nearly impossible.

Improved Accuracy. Transactions on the blockchain can neither be deleted nor changed.

Built-In Redundancy. While data is contained in one “chain,” the data is actually decentralized and constantly distributed and updated across multiple systems. If one system goes down, an exact and up-to-date copy can be obtained from a redundant system.

Decentralized Network. A central authority holding all the links or the keys to the blockchain is not necessary. With data stored in many decentralized networks, there is no one key system that can be attacked.

Segmented Security. The security of the chain is built into the links that make up the chain. In order to decrypt one link, a hacker would have to decrypt the whole chain.

Autonomous Recordkeeping. There is no need for a record management party, which reduces the risk of sending information to a third party.

It is this combination of technologies and principles that makes the blockchain an attractive solution to the data, security, and accessibility requirements that an EHR database would require.
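The mechanism behind the "Improved Accuracy" and "Built-In Redundancy" safeguards above can be seen in a minimal hash-linked ledger. This is an added example, not code from the article or from any HHS submission; the function names, the all-zero genesis value, and the sample entries are assumptions, and consensus, signatures, and encryption are left out.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first block

def block_hash(index, prev_hash, entry):
    """SHA-256 over a canonical JSON encoding of the block's contents."""
    body = json.dumps({"index": index, "prev": prev_hash, "entry": entry},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append(chain, entry):
    """Add an entry, linking it to the hash of the block before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    chain.append({"index": index, "prev": prev_hash, "entry": entry,
                  "hash": block_hash(index, prev_hash, entry)})
    return chain

def first_invalid(chain):
    """Index of the first block that fails verification, or None if all pass."""
    prev_hash = GENESIS
    for i, block in enumerate(chain):
        if (block["index"] != i or block["prev"] != prev_hash
                or block["hash"] != block_hash(i, prev_hash, block["entry"])):
            return i
        prev_hash = block["hash"]
    return None

def first_divergence(local, replica):
    """Index where two copies of the ledger stop agreeing, or None."""
    for i, (a, b) in enumerate(zip(local, replica)):
        if a["hash"] != b["hash"]:
            return i
    shorter = min(len(local), len(replica))
    return None if len(local) == len(replica) else shorter

def build_sample():
    """Three constructed EHR audit entries (not real patient data)."""
    chain = []
    for event in ("record created", "lab result added", "viewed by dr-17"):
        append(chain, {"patient": "P-001", "event": event})
    return chain
```

Editing one entry fails verification at that block, and recomputing only that block's hash moves the failure to the next link. A copy rewritten from the edit point onward verifies on its own, so detecting it relies on `first_divergence` against an independently held replica.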

Adopting Blockchain? Considering Data Security Solutions?

Whether blockchain turns out to be the solution for the protection of health care information or just one of a number of solutions, securing health data is a problem in dire need of a solution that is both effective and friendly. At the least, blockchain provides a solution that requires serious consideration.

As HHS contemplates blockchain and other innovative technologies, your Butzel Long Healthcare and Emerging Technology attorneys will continue to monitor and update you on emerging industry trends. As you adopt these technologies or consider security solutions that address the risks inherent to EHR data, contact your Butzel attorney for the latest information on legal risks.
